Finding
PR #45490 introduced reflected CAPI endpoint routing — Claude and Codex engine providers now resolve their API endpoints dynamically via a reflected endpoint source. This opens a new Tier B attack surface with High exposure amplification: if the endpoint reflection source can be influenced by untrusted input, an attacker could redirect LLM API calls to an attacker-controlled server (SSRF) or inject crafted endpoint paths.
Risk Scoring
| Dimension |
Score |
Rationale |
| Exposure amplification |
High |
LLM provider endpoints; compromise could intercept model I/O |
| Patchability |
Medium |
Requires architectural validation of trust boundary |
| Detectability |
Medium |
Endpoint mismatch may not surface in normal observability |
| Operational fragility |
Medium |
Wrong endpoint = silent routing failure |
| Ownership confidence |
High |
pelikhan active maintainer |
Tier: B — Open With Conditions
SLA: High — 7 days
Remediation Actions
- Audit the source of reflected endpoint values in
#45490 — confirm they come from a trusted, static configuration and not user-supplied or workflow-supplied input.
- Add validation that resolved endpoints match an allowlist of known provider domains (e.g.
api.github.com, api.anthropic.com, api.openai.com).
- Add a test asserting that a crafted/invalid reflection value is rejected before it reaches the HTTP client.
- Document the trust boundary for reflected endpoints in the engine provider interface.
References
Generated by UK AI Operational Resilience · 51.7 AIC · ⌖ 8.06 AIC · ⊞ 5.1K · ◷
Finding
PR #45490 introduced reflected CAPI endpoint routing — Claude and Codex engine providers now resolve their API endpoints dynamically via a reflected endpoint source. This opens a new Tier B attack surface with High exposure amplification: if the endpoint reflection source can be influenced by untrusted input, an attacker could redirect LLM API calls to an attacker-controlled server (SSRF) or inject crafted endpoint paths.
Risk Scoring
Tier: B — Open With Conditions
SLA: High — 7 days
Remediation Actions
#45490— confirm they come from a trusted, static configuration and not user-supplied or workflow-supplied input.api.github.com,api.anthropic.com,api.openai.com).References